Atomic Secure Linux
Post subject: Dual Rulesets
Posted: Sun Mar 11, 2012 8:04 pm
Forum Regular

Joined: Sat Jan 21, 2012 6:37 pm
Posts: 107
Location: Canada
Hi,

I would have opened a support ticket, but for some reason my login isn't working on the support portal. Works fine on the License screen?

Anyway, this problem came out of nowhere. I'm guessing it's something with cpanel. I originally had the ASL rules installed manually myself with delayed rules. I removed all those, but somehow I still seem to have an error about mod_security2 being already loaded on the asl -s -f command. I don't have mod_security during EasyApache so I know this isn't the problem.

I searched around and found asl seems to be updating rules in /usr/local/apache/modesecurity.d/ (these are dated March 12th, default server time) but there is also a set of rules in /var/asl/rules (these are dated March 11th).

The modsecurity.d folder seems to not have all the rules. Is this normal?
About 2 weeks ago my apache process size jumped from around 80MB to 110 so I'm assuming something is loading that shouldn't be.

Any suggestions are welcome. :)

Shawn


Post subject: Re: Dual Rulesets
Posted: Tue Mar 13, 2012 10:08 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2049
I don't know how cpanel configures apache things, so I can't give you a definitive answer.

I suspect you just have two places where the mod_security module is being loaded, as opposed to two sets of rules being loaded.

In a Plesk-based full-fat ASL install, the rules are in /etc/httpd/modsecurity.d.

And in /etc/httpd/conf.d there's an 000_modesecurity.conf (or something like that) with a module load command, that is configured to specifically load only rules from modsecurity.d

The rules in /var/asl/rules/modsecurity (I think) are the "master" rules (as downloaded) that get copied to modsecurity.d every few minutes and when you run asl -s -f

I suspect you may also have a mod_security module load in apache.conf or httpd.conf or whatever cpanel uses, or possibly two files in the cpanel equivalent of /etc/httpd/conf.d

Like I say, I can't be specific for cpanel as I don't know it, so all this is general pointers, not specific instructions.

Faris.

Post subject: Re: Dual Rulesets
Posted: Fri Mar 16, 2012 6:52 pm
Forum Regular

Joined: Sat Jan 21, 2012 6:37 pm
Posts: 107
Location: Canada
I seem to have two configs, if I rename or comment out either of them and run asl -s -f

It replaces both of them.

I have one in
/usr/local/apache/conf.d/00_mod_security.conf

Other is in
/usr/local/apache/conf/modsec2.conf

Both have the same contents below.
Code:
# ASL mod_security Template: /var/asl/data/templates/template-01_mod_security.conf
# Special custom version for cpanel environments

LoadModule security2_module modules/mod_security2.so

<IfModule mod_security2.c>
        # Basic configuration goes in here
        Include modsecurity.d/tortix_waf.conf

        # Rule management is handled by ASL
        Include modsecurity.d/00*exclude.conf
        Include modsecurity.d/*asl*.conf
        Include modsecurity.d/99*exclude.conf

</IfModule>


I know this is the issue, because if I comment one out and run httpd -M I don't get a [warn] that security2_module is already loaded, whereas I do if both are normal.

Now that another problem is fixed my apache process size is 154MB. This seems too big? Or is it?

Just not sure what the solution would be if asl is re-creating both these files after running asl -s -f

Shawn


Post subject: Re: Dual Rulesets
Posted: Fri Mar 16, 2012 6:57 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3631
Location: Chantilly, VA
Quote:
I have one in
/usr/local/apache/conf.d/00_mod_security.conf

Other is in
/usr/local/apache/conf/modsec2.conf


Are you sure that /usr/local/apache/conf/modsec2.conf isn't a symlink to /usr/local/apache/conf.d/00_mod_security.conf?

Quote:
Now that another problem is fixed my apache process size is 154MB. This seems too big? Or is it?


That's normal. mod_security caches its rules to speed up processing.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Dual Rulesets
Posted: Fri Mar 16, 2012 7:03 pm
Forum Regular

Joined: Sat Jan 21, 2012 6:37 pm
Posts: 107
Location: Canada
mikeshinn wrote:
Quote:
I have one in
/usr/local/apache/conf.d/00_mod_security.conf

Other is in
/usr/local/apache/conf/modsec2.conf


Are you sure that /usr/local/apache/conf/modsec2.conf isn't a symlink to /usr/local/apache/conf.d/00_mod_security.conf?

Quote:
Now that another problem is fixed my apache process size is 154MB. This seems too big? Or is it?


That's normal. mod_security caches its rules to speed up processing.


Ah, it is a system link. :)

I checked by editing one and seeing that the other one changed also.

So the dual loading of modsecurity2 is normal? Thanks for your help, Mike. :)


Quote:
Now that another problem is fixed my apache process size is 154MB. This seems too big? Or is it?


Quote:
That's normal. mod_security caches its rules to speed up processing.


Okay, that's good to know. :)

Below is the httpd -M command:
Code:
 [warn] module security2_module is already loaded, skipping
Loaded Modules:
 core_module (static)
 authn_file_module (static)
 authn_dbm_module (static)
 authn_dbd_module (static)
 authn_default_module (static)
 authn_alias_module (static)
 authz_host_module (static)
 authz_groupfile_module (static)
 authz_user_module (static)
 authz_dbm_module (static)
 authz_default_module (static)
 auth_basic_module (static)
 auth_digest_module (static)
 include_module (static)
 filter_module (static)
 deflate_module (static)
 log_config_module (static)
 logio_module (static)
 env_module (static)
 expires_module (static)
 headers_module (static)
 unique_id_module (static)
 setenvif_module (static)
 version_module (static)
 proxy_module (static)
 proxy_connect_module (static)
 proxy_ftp_module (static)
 proxy_http_module (static)
 proxy_scgi_module (static)
 proxy_ajp_module (static)
 proxy_balancer_module (static)
 ssl_module (static)
 mpm_prefork_module (static)
 http_module (static)
 mime_module (static)
 dav_module (static)
 status_module (static)
 autoindex_module (static)
 asis_module (static)
 info_module (static)
 suexec_module (static)
 cgi_module (static)
 dav_fs_module (static)
 dav_lock_module (static)
 negotiation_module (static)
 dir_module (static)
 actions_module (static)
 userdir_module (static)
 alias_module (static)
 rewrite_module (static)
 so_module (static)
 cloudflare_module (shared)
 dav_svn_module (shared)
 authz_svn_module (shared)
 security2_module (shared)
 qos_module (shared)
 bw_module (shared)
 bwlimited_module (shared)
 suphp_module (shared)
Syntax OK


Post subject: Re: Dual Rulesets
Posted: Fri Mar 16, 2012 9:20 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2049
Loading it, or rather attempting to load it twice isn't normal normal, but Scott will have to tell us if it is normal with cpanel.

I don't get why there's both a "real" and a symlink to it being looked at by apache, but maybe that is normal for cpanel.

Post subject: Re: Dual Rulesets
Posted: Sat Mar 17, 2012 12:07 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7901
Location: earth
Fortunately it doesn't load twice, but yeah, this is a problem with the way cpanel does its configs. They don't follow the conf.d layout, which frankly would solve a lot of their problems if they did. For those of you not familiar with it, this is the standard everyone, OS vendors, Linux software vendors, etc. agreed on using with the enterprise distros way back in the 90s. You invoke your include as such:

Include /etc/httpd/conf.d/*.conf

1) any file ending in .conf will be loaded, and
2) they are loaded in alphanumeric order. Ex: 01_php.conf is loaded before php.conf

When I was first mapping the way cpanel configs were laid out, the whiteboard wasn't big enough so I had to use a roomful of sliding glass doors and a dry erase marker. (Include referencing an include, referencing an include)

So anyway, when the double load warning does come up it is not a problem if you are using ASL. Because we force them into the conf.d layout, and that ensures that the load order is correct.


Post subject: Re: Dual Rulesets
Posted: Fri Apr 06, 2012 2:48 am
Forum Regular

Joined: Sat Jan 21, 2012 6:37 pm
Posts: 107
Location: Canada
Yeah I'm not sure why they do that... I heard they are switching at some point though.

However, I solved my problem here myself. It was loading two full rulesets. I'm still not sure how exactly, but if I commented out that line in the 00_mod_security.conf, mod_security wasn't loading at all. With it in, it was loading twice. So I just moved that load line into the cpanel pre_main configuration and edited the ASL template to not load it also. This seems to have worked for now. Although I guess I'll have to keep patching it. But now I'm at 70MB per process (not using antispam right now). This looks correct now.

Unless someone has a solution as to why. It seems like the .conf file must have been being loaded twice somehow, but with all the 17 million cpanel config files it's a pain to track down where that's happening lol.

EDIT: Never mind, I found out where it was in the main httpd.conf
Code:
# (poster's emphasis) first Include of the conf.d glob
Include /etc/httpd/conf.d/*.conf

Include "/usr/local/apache/conf/includes/pre_main_global.conf"
Include "/usr/local/apache/conf/includes/pre_main_2.conf"

LoadModule qos_module modules/mod_qos.so
LoadModule bw_module modules/mod_bw.so
LoadModule bwlimited_module modules/mod_bwlimited.so

# (poster's emphasis) second Include of the same conf.d glob
Include /etc/httpd/conf.d/*.conf
Include "/usr/local/apache/conf/mod_bandwidth.conf"
Include "/usr/local/apache/conf/php.conf"
Include "/usr/local/apache/conf/includes/errordocument.conf"

